The Inquirer-Home

Microsoft’s January Patch Tuesday fixes a critical Windows Media flaw

Updated Totals eight vulnerabilities
Wed Jan 11 2012, 16:26

SOFTWARE PATCH HOUSE Microsoft has released its first Patch Tuesday of the year, which fixed a critical flaw in its operating systems.

The first patch of the year is a big one including seven bulletins to address eight vulnerabilities. The first one, named MS12-004 and rated as critical, fixes a security hole in Windows Media Player.

The fix relates to how Windows Media handles a certain type of Musical Instrument Digital Interface (MIDI) file and the way DirectShow, part of DirectX, analyses media files. A successful exploit could give an attacker the same rights as the owner.

Wolfgang Kandek, CTO of IT security firm Qualys, said, "Attacks against this vulnerability can be both through e-mail or hosting the media file on a website. They have the potential to be used in a drive-by-download attack."

As we mentioned last week, the bulletin is rated critical for all versions of Windows apart from Windows 7 and Windows Server 2008 R2, for which it is classed as important.

Bulletin MS12-001 comes under a new category called 'Security Feature Bypass' and is rated as important. The name gives it away somewhat: it addresses a problem with the Windows kernel that could allow an attacker to bypass a defence-in-depth feature called SafeSEH.

Microsoft said in a blog post, "This bypass is limited in scope to applications that make use of binaries that were built with Microsoft Visual C++ .NET 2003 RTM. Binaries that have been built with Microsoft Visual C++ .NET 2003 Service Pack 1 and beyond are not affected."

The remaining bulletins cover problems involving Microsoft Office, the anti-cross-site scripting (AntiXSS) library, and SSL 3.0 and TLS 1.0. For a full rundown of the entire January patch set, take a look at Microsoft's security tech centre.

Most users will download and install the updates automatically if automatic updates are enabled. If not, it's time to do it manually.

Updated
Amol Swarte, vulnerability labs manager at Qualys, said, "In the last 4 years Microsoft has released only about 2 bulletins in January. So the 2012 Patch Tuesday with 7 bulletins seems bigger, but I won't read too much into it."

"Microsoft usually goes with a pattern of larger patches every other month, but patches for zero day and urgent vulnerabilities break this pattern. We have no reason to believe that Microsoft will release more patches in 2012 as compared to last two years and it's not a concern at this point." µ


Comments
greedy microsoft

....and they have the barefaced cheek to ask money for a beta product...

posted by : dumbere d'lumbere, 12 January 2012
@phil

Each time Windows shows a thumbnail of a picture or video it uses that subsystem too...
(As for WMV, about 80% of the porn uses that.. but this isn't about wmv)

posted by : W.-, 11 January 2012
A Windows Media Flaw

I don't recall the last time anyone has used or mentioned Windows Media Player or the Windows Media Format...
No more than two people could be affected. Maybe Ballmer and the Russian Hacker who's found the flaw..

posted by : Phil, 11 January 2012